From c569fa0949c53475b6bca191c572dea2917de3f6 Mon Sep 17 00:00:00 2001 From: Sara Date: Tue, 30 Sep 2025 18:31:11 -0400 Subject: [PATCH 1/3] clarifies existing RPM support --- .../strategies/system/rpm/rpm-container.md | 16 ++++++++++++++++ docs/references/subcommands/container/scanner.md | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/references/strategies/system/rpm/rpm-container.md b/docs/references/strategies/system/rpm/rpm-container.md index 501fc66076..b4d3ae5384 100644 --- a/docs/references/strategies/system/rpm/rpm-container.md +++ b/docs/references/strategies/system/rpm/rpm-container.md @@ -4,6 +4,22 @@ The RedHat Package Manager (rpm). > This analysis is only executed when container scanning. +## Important Limitations + +**License Identification**: RPM package detection is supported, but license information extraction has limitations: + +- **Full Support**: Alpine (APK) and Debian (DPKG) packages include complete license information. +- **Limited Support**: RHEL and Oracle Linux (OL) RPM packages are detected but may appear as "unlicensed" because: + - License information is not currently extracted from RPM package databases + - Oracle Linux EPEL repositories are not automatically recognized + - Modern RHEL9/OL9 signature formats may cause fetcher issues + +**Impact**: Customers scanning RHEL/OL-based containers may see hundreds of system packages (like `perl`, `bash`, `coreutils`) marked as "unlicensed" even though license metadata exists in the RPM database. + +**Workaround**: Packages can be manually licensed through the FOSSA web interface, but this creates significant overhead for continuous scanning workflows. + +**Future Enhancement**: Full RHEL/OL support is on our roadmap. If this is important to you, please reach out to support@fossa.com. + ## Discovery Each RPM installation may use one of several backends: 
diff --git a/docs/references/subcommands/container/scanner.md b/docs/references/subcommands/container/scanner.md index b19163defd..8fca267d3a 100644 --- a/docs/references/subcommands/container/scanner.md +++ b/docs/references/subcommands/container/scanner.md @@ -225,7 +225,7 @@ The following package managers are supported in container scanning: | ------------------------------------ | ------------------ | ---------------------------------------------------------------- | | Alpine (APK) | :white_check_mark: | [APK Docs](./../../strategies/system/apk/apk.md) | | Debian (DPKG) | :white_check_mark: | [DPKG Docs](./../../strategies/system/dpkg/dpkg.md) | -| RedHat (RPM) | :white_check_mark: | [RPM Docs](../../strategies/system/rpm/rpm-container.md) | +| RedHat (RPM) | :warning: | [RPM Docs](../../strategies/system/rpm/rpm-container.md) | | Python (setuptools, poetry, etc.) | :white_check_mark: | [Python Docs](./../../strategies/languages/python/python.md) | | Javascript (npm, yarn, pnpm, etc.) | :white_check_mark: | [Javascript Docs](./../../strategies/languages/nodejs/nodejs.md) | | Ruby (bundler) | :white_check_mark: | [Ruby](./../../strategies/languages/ruby/ruby.md) | From 1aec3d38a88d5cdbed7db91a84fc84d92509b82f Mon Sep 17 00:00:00 2001 From: Sara Date: Tue, 30 Sep 2025 18:38:41 -0400 Subject: [PATCH 2/3] Update docs/references/strategies/system/rpm/rpm-container.md Co-authored-by: Zach --- docs/references/strategies/system/rpm/rpm-container.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/references/strategies/system/rpm/rpm-container.md b/docs/references/strategies/system/rpm/rpm-container.md index b4d3ae5384..df3844e278 100644 --- a/docs/references/strategies/system/rpm/rpm-container.md +++ b/docs/references/strategies/system/rpm/rpm-container.md 
@@ -16,7 +16,7 @@ The RedHat Package Manager (rpm). **Impact**: Customers scanning RHEL/OL-based containers may see hundreds of system packages (like `perl`, `bash`, `coreutils`) marked as "unlicensed" even though license metadata exists in the RPM database. -**Workaround**: Packages can be manually licensed through the FOSSA web interface, but this creates significant overhead for continuous scanning workflows. +**Workaround**: Packages can be manually licensed through the FOSSA web interface. **Future Enhancement**: Full RHEL/OL support is on our roadmap. If this is important to you, please reach out to support@fossa.com. From df2de590ea361d5fce08d3a7a607fca04fb030fe Mon Sep 17 00:00:00 2001 From: Sara Date: Tue, 30 Sep 2025 18:38:52 -0400 Subject: [PATCH 3/3] Update docs/references/strategies/system/rpm/rpm-container.md Co-authored-by: Zach --- docs/references/strategies/system/rpm/rpm-container.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/references/strategies/system/rpm/rpm-container.md b/docs/references/strategies/system/rpm/rpm-container.md index df3844e278..9db660e06e 100644 --- a/docs/references/strategies/system/rpm/rpm-container.md +++ b/docs/references/strategies/system/rpm/rpm-container.md @@ -14,7 +14,7 @@ The RedHat Package Manager (rpm). - Oracle Linux EPEL repositories are not automatically recognized - Modern RHEL9/OL9 signature formats may cause fetcher issues -**Impact**: Customers scanning RHEL/OL-based containers may see hundreds of system packages (like `perl`, `bash`, `coreutils`) marked as "unlicensed" even though license metadata exists in the RPM database. +**Impact**: Customers scanning RHEL/OL-based containers may see system packages (like `perl`, `bash`, `coreutils`) marked as "unlicensed" even though license metadata exists in the RPM database. **Workaround**: Packages can be manually licensed through the FOSSA web interface.
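Review bot: in the PATCH 1/3 hunk for rpm-container.md the scope of the new "Important Limitations" section is inconsistent: the first Limited Support sub-bullet says "License information is not currently extracted from RPM package databases", which applies to every RPM-based image, but the bullet heading and the Impact paragraph are scoped to RHEL and Oracle Linux only. Either state that the licensing gap applies to all RPM distributions the scanner detects, or say explicitly which RPM distributions do get license data. The other two sub-bullets are too vague for a reader to act on: "Oracle Linux EPEL repositories are not automatically recognized" does not say what recognition means for a scan of an installed-package database, and "Modern RHEL9/OL9 signature formats may cause fetcher issues" does not say whether affected packages fail detection entirely or only lose license data; spell out the observable symptom in each case. Since the Impact paragraph asserts that the metadata exists in the RPM database, consider also telling readers how to confirm that for their image, for example `rpm -qa --qf '%{NAME} %{LICENSE}\n'` inside the container.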
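Review bot: the scanner.md hunk swaps RPM's `:white_check_mark:` for `:warning:` without explaining the icon; no legend is visible in the table context, so a reader cannot tell whether RPM is partially supported, deprecated, or broken. Add a footnote or a sentence under the table stating that package detection is supported but license extraction for RHEL/OL is limited, and link to the new Important Limitations section in rpm-container.md. While here, the RPM row's link uses `../../strategies/system/rpm/rpm-container.md` whereas every other row uses the `./../../strategies/...` form; both resolve, but the inconsistency is worth normalizing in the same change.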
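Review bot: in the PATCH 2/3 hunk, dropping the "significant overhead" clause is fine, but the remaining sentence now says nothing about what the workaround involves; a neutral statement that licenses are set per package in the web interface would let readers judge whether it suits a continuous-scan pipeline without the editorial tone. Separately, this commit and PATCH 3/3 are applied review suggestions whose subjects ("Update docs/references/strategies/system/rpm/rpm-container.md") do not describe the change; squash them into PATCH 1/3 before merging so the history carries one descriptive message.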
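Review bot: in the PATCH 3/3 hunk, removing "hundreds of" is the right call for a figure the docs cannot substantiate, but the sentence now reads as if the effect were marginal; the example packages `perl`, `bash`, `coreutils` are base-image packages, so practically every RHEL/OL image will show it. Suggest wording such as "may see base system packages (like `perl`, `bash`, `coreutils`) marked as "unlicensed"" to convey the scale without a number. Keep the trailing clause "even though license metadata exists in the RPM database" as is; it is the fact that distinguishes this from a missing-data problem and justifies the roadmap note that follows.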